Moritz Naumann reported multiple cross-site scripting (XSS) flaws, present in the way the Cacti web interface used to process HTML form content. If a remote attacker could trick a local user who is logged into Cacti into visiting a specially-crafted HTML page, the attacker could retrieve and potentially modify confidential Cacti data.

References:
-----------
http://www.cacti.net/download_patches.php
http://www.securityfocus.com/bid/37109/info
http://docs.cacti.net/#cross-site_scripting_fixes

Upstream patch:
---------------
http://www.cacti.net/downloads/patches/0.8.7e/cross_site_fix.patch

CVE Request:
------------
http://www.openwall.com/lists/oss-security/2009/11/25/2
This issue affects the versions of the cacti package as shipped with Fedora releases 10, 11, and 12 and as shipped within the Extra Packages for Enterprise Linux 4 (EPEL-4) and 5 (EPEL-5) projects. Please fix.
This is CVE-2009-4032.
A more elaborate description of each particular issue (including reproducers) by Moritz Naumann is here: http://seclists.org/fulldisclosure/2009/Nov/291
Mitre's CVE-2009-4032 record:
-----------------------------
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php.
cacti-0.8.7e-3.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/cacti-0.8.7e-3.el4
cacti-0.8.7e-3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/cacti-0.8.7e-3.fc11
cacti-0.8.7e-3.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/cacti-0.8.7e-3.el5
cacti-0.8.7e-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/cacti-0.8.7e-3.fc10
cacti-0.8.7e-3.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/cacti-0.8.7e-3.fc12
cacti-0.8.7e-3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.7e-3.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.7e-3.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.7e-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Upstream fix does not properly address XSS 4. It adds validation for graph_start and graph_end, but that only happens after including include/top_graph_header.php, which may output those values without validation.
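The ordering problem described in that comment (a check that runs only after an included file has already written the unchecked value into the page) is easy to miss in review, so here is a simplified PHP illustration. This is an added example, not Cacti's code and not the upstream patch: the function names, the stand-in header body and the sample request are constructed for this illustration; only the file names and the graph_start/graph_end parameter names come from the bug report.

```php
<?php
// Added illustration (not Cacti's code): why validating a request parameter
// only AFTER including a header that already echoed it leaves an XSS in place.
// The file names in the comments mirror those in the bug; bodies are stand-ins.

// --- stand-in for include/top_graph_header.php (assumed shape) ---
// Writes the raw request value straight into the HTML. If this runs first,
// no validation performed later in graph.php can undo the output.
function top_graph_header_unsafe(array $request): string {
    $start = $request['graph_start'] ?? '';
    return "<input type='hidden' name='graph_start' value='$start'>\n";
}

// --- stand-in for graph.php with the ordering the comment describes ---
function graph_page_broken(array $request): string {
    $out = top_graph_header_unsafe($request);         // output already happened
    if (!ctype_digit((string)($request['graph_start'] ?? ''))) {
        $request['graph_start'] = '';                 // validation arrives too late
    }
    return $out;
}

// --- corrected ordering: validate before anything is emitted ---
function validate_timespan(array $request): array {
    foreach (['graph_start', 'graph_end'] as $k) {
        $v = (string)($request[$k] ?? '');
        // These are Unix timestamps, so only a non-negative integer is acceptable;
        // anything else is dropped rather than passed through.
        $request[$k] = ctype_digit($v) ? $v : '';
    }
    return $request;
}

// --- and encode at the output sink regardless of what happened upstream ---
function top_graph_header_safe(array $request): string {
    $start = htmlspecialchars((string)($request['graph_start'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<input type='hidden' name='graph_start' value='$start'>\n";
}

function graph_page_fixed(array $request): string {
    $request = validate_timespan($request);           // check first
    return top_graph_header_safe($request);           // then emit, encoded
}

// Constructed sample request: a non-numeric value where a timestamp is expected.
// The broken page reflects the markup verbatim; the fixed page emits an empty
// value (and would encode it even if validation were bypassed).
$sample = [
    'graph_start' => "not-a-timestamp<b>marker</b>",
    'graph_end'   => '1259186400',
];

echo "broken: " . graph_page_broken($sample);
echo "fixed:  " . graph_page_fixed($sample);
```

The two layers are independent on purpose: moving the validation ahead of the include fixes the ordering bug the comment points at, while encoding at the sink protects every caller of the header, including any future page that forgets to validate. A quick check for this class of bug in a code base is to grep for request parameters echoed by included files and confirm each one is either validated before the include or encoded where it is written.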
(In reply to comment #17)
> Upstream fix does not properly address XSS 4. It adds validation for
> graph_start and graph_end, but that only happens after including
> include/top_graph_header.php, which may output those values without
> validation.

This is now fixed upstream in 0.8.7g:
http://cacti.net/release_notes_0_8_7g.php
http://svn.cacti.net/viewvc/cacti/branches/0.8.7/include/top_graph_header.php?r1=6025&r2=6024
http://svn.cacti.net/viewvc?view=rev&revision=6025
(In reply to comment #17)
> Upstream fix does not properly address XSS 4. It adds validation for
> graph_start and graph_end, but that only happens after including
> include/top_graph_header.php, which may output those values without
> validation.

This got CVE-2010-2543.
This issue has been addressed in the following products:

Red Hat HPC Solution for RHEL 5

Via RHSA-2010:0635 https://rhn.redhat.com/errata/RHSA-2010-0635.html